Matthew Weier O'Phinney-3 wrote:
>
> (In 2.0, we will make escaping the default within Zend_View, and require
> you to explicitly ask for raw data if you don't want escaping.)
>
That will be much better!
Hmm, sometimes if I have a complex query with joins to a lot of tables ... and
I don't have time to find out what the ZF way to do things is ... can I use
$val = escapeSql($this->getRequest()->getParam('username')); // is there an
"escape SQL" function?
$db->fetchAll("SELECT * FROM Users WHERE username = '" . $val . "'")
And you meant not just Zend_Db_Select, right? You refer to the quoting mechanism.
Zend_Db_Select by itself just gives normal SQL, right? Is it
quoteInto()/where() etc. that escapes for SQL? What if I need to escape
something not in where()? Maybe in the joins or having or something else?
--
View this message in context:
http://www.nabble.com/Security---Preventing-SQL-Injections%2C-XSS-etc-tp23900449p23907576.html
Sent from the Zend Framework mailing list archive at Nabble.com.
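Taking the questions in the post above together, here is an added example in PHP. It is not the poster's code and not from the Zend Framework documentation. Zend_Db has no function named escapeSql(); the adapter's quote() and quoteInto() are the nearest thing, and the usual answer is bind parameters, which fetchAll() and friends accept directly. The example shows the concatenated query from the post beside a bound-parameter version of it, quoteInto() for a fragment a placeholder cannot reach (a join condition), and where()/having() on Zend_Db_Select, which quote their value argument for you. It assumes Zend Framework 1.x under a made-up include path and the pdo_sqlite extension; the tables and rows are constructed so it runs offline.

```php
<?php
// Added example, not from the original post or the Zend Framework docs.
// Assumptions: Zend Framework 1.x is on the include_path (the path below is
// a placeholder) and the pdo_sqlite extension is loaded. The database and its
// rows are constructed here so the script runs offline.
set_include_path('/path/to/ZendFramework/library' . PATH_SEPARATOR . get_include_path());
require_once 'Zend/Db.php';

$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query('CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT)');
$db->query('CREATE TABLE Logins (id INTEGER PRIMARY KEY, user_id INTEGER, ip TEXT)');
$db->insert('Users', array('username' => 'alice'));
$db->insert('Users', array('username' => 'bob'));
foreach (array(array(1, '10.0.0.1'), array(1, '10.0.0.2'), array(2, '192.0.2.9')) as $row) {
    $db->insert('Logins', array('user_id' => $row[0], 'ip' => $row[1]));
}

// Untrusted input, standing in for $this->getRequest()->getParam('username').
$username = "x' OR '1'='1";

// 1. The concatenation from the post: the quote inside $username closes the
//    string literal and the OR clause matches every row (2 users).
$unsafe = "SELECT * FROM Users WHERE username = '" . $username . "'";
printf("concatenated: %d rows\n", count($db->fetchAll($unsafe)));

// 2. Bind parameters: fetchAll(), fetchRow(), fetchOne() and query() all take
//    a bind array, so the value is sent to the driver and never becomes part
//    of the SQL text. This matches no user (0 rows).
$rows = $db->fetchAll('SELECT * FROM Users WHERE username = ?', array($username));
printf("bound:        %d rows\n", count($rows));

// 3. quote() returns the value as a quoted SQL literal; quoteInto() replaces
//    the ? in a fragment with that literal. This is the "escape SQL" function
//    for places a placeholder cannot reach, such as a join condition.
echo 'quote():      ', $db->quote($username), "\n";   // 'x'' OR ''1''=''1'
$joinCond = $db->quoteInto('l.user_id = u.id AND l.ip LIKE ?', '10.0.0.%');

// 4. Zend_Db_Select builds the SQL string; where() and having() accept a value
//    as second argument and run it through quoteInto(). joinLeft() does not,
//    so it receives the pre-quoted condition from step 3.
$select = $db->select()
    ->from(array('u' => 'Users'),
           array('u.username', 'logins' => new Zend_Db_Expr('COUNT(l.id)')))
    ->joinLeft(array('l' => 'Logins'), $joinCond, array())
    ->where('u.username = ?', $username)   // quoted, no injection
    ->group('u.id')
    ->having('COUNT(l.id) >= ?', 2);
echo 'select:       ', $select, "\n";
printf("select rows:  %d\n", count($db->fetchAll($select)));   // 0 for the hostile name

// Same query for a legitimate user returns alice with her two 10.0.0.x logins.
$select->reset(Zend_Db_Select::WHERE)->where('u.username = ?', 'alice');
print_r($db->fetchAll($select));
```

The rule of thumb the example illustrates: anywhere Zend_Db_Select offers a value argument (where(), orWhere(), having(), orHaving()) or the adapter offers a bind array, use it; anywhere it does not (join conditions, raw fragments, column expressions), build the fragment with quoteInto() or quote() and never by concatenating the raw string.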